US11159316B2ActiveUtilityA1

Self-service device encryption key access

63
Assignee: VMWARE INCPriority: Jan 15, 2020Filed: Jan 15, 2020Granted: Oct 26, 2021
Est. expiryJan 15, 2040(~13.5 yrs left)· nominal 20-yr term from priority
H04L 63/068G06F 21/45H04L 9/0861H04L 9/0894H04L 2463/121H04L 63/062H04L 63/0435H04L 63/083H04L 63/0853G06F 21/602H04L 2463/061G06F 2221/2131H04L 9/3297
63
PatentIndex Score
0
Cited by
7
References
20
Claims

Abstract

Disclosed are various embodiments for providing access to a recovery key of a managed device and rotating the recovery key after it has been accessed. In one example, among others, a system includes a computing device and program instructions. The program instructions can cause the computing device to store a first recovery key for a first managed computing device. The first recovery key is configured to access an encrypted data store of the first managed computing device. A request is received for the first recovery key from a second managed computing device. The first recovery key is transmitted for display on the second managed computing device. A key rotation command is generated for a command queue of the first managed computing device to rotate the first recovery key after transmitting the first recovery key. The second recovery key is received from the second computing device.

Claims

exact text as granted — not AI-modified
Therefore, the following is claimed: 
     
       1. A system, comprising:
 a computing device; and 
 program instructions executable in the computing device that, when executed by the computing device, cause the computing device to:
 store a first recovery key for a first managed client device, wherein the first recovery key is configured to access an encrypted data store of the first managed client device; 
 receive a request for the first recovery key from a second managed client device, wherein the first managed client device and the second managed client device are associated with a managed user profile of a management service; 
 transmit the first recovery key for display to the second managed client device; 
 place a key rotation command into a command queue of the first managed client device, the key rotation command instructing the first managed client device to rotate the first recovery key in an instance in which the first recovery key has been transmitted; and 
 receive a second recovery key from the first managed client device. 
 
 
     
     
       2. The system of  claim 1 , wherein the key rotation command comprises an instruction for executing an application programming interface command of an operating system for generating the second recovery key. 
     
     
       3. The system of  claim 1 , further comprising program instructions executable in the computing device that, when executed, further cause the computing device to:
 generate an entry for an event log in an instance in which the first recovery key has been transmitted for display, wherein the entry comprises a time stamp for when the first recovery key was transmitted. 
 
     
     
       4. The system of  claim 1 , further comprising program instructions executable in the computing device that, when executed, further cause the computing device to:
 validate a credential provided by the second managed client device in an instance in which the request for the first recovery key has been received. 
 
     
     
       5. The system of  claim 1 , wherein the key rotation command comprises an instruction to rotate the first recovery key in an instance in which a period of time has expired from the first recovery key being transmitted to the second managed client device. 
     
     
       6. The system of  claim 1 , further comprising program instructions executable in the computing device that, when executed, further cause the computing device to:
 transmit the key rotation command to the first managed client device in an instance in which the first managed client device has become accessible on a network. 
 
     
     
       7. The system of  claim 6 , wherein the key rotation command comprises an instruction for the first management device to transmit the second recovery key to the computing device. 
     
     
       8. A non-transitory computer-readable medium embodying program instructions executable in at least one computing device that, when executed by the at least one computing device, cause the at least one computing device to:
 store a first recovery key for a first managed client device, wherein the first recovery key is configured to access an encrypted data store of the first managed client device; 
 receive a request for the first recovery key from a second managed client device, wherein the first managed client device and the second managed client device are associated with a managed user account of a management service; 
 transmit the first recovery key for display to the second managed client device; 
 place a key rotation command into a command queue of the first managed client device, the key rotation command instructing the first managed client device to rotate the first recovery key in an instance in which the first recovery key has been transmitted; and 
 receive a second recovery key from the first managed client device. 
 
     
     
       9. The non-transitory computer-readable medium of  claim 8 , wherein the key rotation command comprises an instruction for executing an application programming interface command of an operating system for generating the second recovery key. 
     
     
       10. The non-transitory computer-readable medium of  claim 8 , wherein the program instructions, when executed, further cause the at least one computing device to:
 generate an entry for an event log in an instance in which the first recovery key for display has been transmitted, wherein the entry comprises a time stamp for when the first recovery key was transmitted. 
 
     
     
       11. The non-transitory computer-readable medium of  claim 8 , wherein the program instructions, when executed, further cause the at least one computing device to:
 validate a credential provided by the second managed client device in an instance in which the request for the first recovery key has been received. 
 
     
     
       12. The non-transitory computer-readable medium of  claim 8 , wherein the key rotation command comprises an instruction to rotate the first recovery key in an instance in which a period of time has expired from the first recovery key being transmitted to the second managed client device. 
     
     
       13. The non-transitory computer-readable medium of  claim 8 , wherein the program instructions, when executed, further cause the at least one computing device to:
 transmit the key rotation command to the first managed client device in an instance in which the first managed client device has become accessible on a network. 
 
     
     
       14. The non-transitory computer-readable medium of  claim 13 , wherein the key rotation command comprises an instruction for the first managed client device to transmit the second recovery key to the at least one computing device. 
     
     
       15. A computer-implemented method, comprising:
 storing a first recovery key for a first managed client device, wherein the first recovery key is configured to access an encrypted data store of the first managed client device; 
 receiving a request for the first recovery key from a second managed client device, wherein the first managed client device and the second managed client device are associated with a managed user account of a management service; 
 transmitting the first recovery key for display to the second managed client device; 
 placing a key rotation command into a command queue of the first managed client device, the key rotation command instructing the first managed client device to rotate the first recovery key in an instance in which the first recovery key has been transmitted; and 
 receiving a second recovery key from the first managed client device. 
 
     
     
       16. The computer-implemented method of  claim 15 , wherein the key rotation command comprises an instruction for executing an application programming interface command of an operating system for generating the second recovery key. 
     
     
       17. The computer-implemented method of  claim 16 , further comprising:
 generating an entry for an event log in an instance in which the first recovery key for display has been transmitted, wherein the entry comprises a time stamp for when the first recovery key was transmitted. 
 
     
     
       18. The computer-implemented method of  claim 16 , further comprising:
 validating a credential provided by the second managed client device in an instance in which the request for the first recovery key has been received. 
 
     
     
       19. The computer-implemented method of  claim 15 , wherein the key rotation command comprises an instruction to rotate the first recovery key in an instance in which a period of time has expired from the first recovery key being transmitted to the second managed client device. 
     
     
       20. The computer-implemented method of  claim 15 , further comprising:
 transmit the key rotation command to the first managed client device in an instance in which the first managed client device has become accessible on a network.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.